Here is my defined ppolicy. I have defined in my
/etc/ldap.conf pam_password exop. Password history and check_password was
working when I had pam_password md5. I wonder if it has something to do with
the way the password is being hashed.
dn: cn=default,ou=policies,dc=turbocorp,dc=com
cn: default
sn: surname
objectClass: pwdPolicy
objectClass: person
objectClass: top
objectClass: pwdPolicyChecker
pwdAttribute: userPassword
pwdInHistory: 3
pwdMinLength: 8
pwdMaxFailure: 5
pwdLockout: TRUE
pwdLockoutDuration: 300
pwdAllowUserChange: TRUE
pwdSafeModify: FALSE
pwdMinAge: 0
pwdExpireWarning: 1209600
pwdCheckModule: /usr/local/libexec/openldap/check_password.so
pwdGraceAuthNLimit: 3
pwdFailureCountInterval: 86400
pwdCheckQuality: 2
pwdMustChange: TRUE
pwdMaxAge: 172800
John Allgood
Senior Systems Administrator
OHL Transportation Services
2251 Jesse Jewell Pky. NE
Gainesville, GA 30507
tel: (678) 989-3051 fax: (770) 531-7878
From: Adam Leach
[mailto:adam.m.leach@gmail.com]
Sent: Thursday, June 24, 2010 11:24 AM
To: Allgood, John
Cc: SATOH Fumiyasu; openldap-technical@openldap.org
Subject: Re: openldap pwdReset
It would help if you would
attach the ppolicy that this entry uses in order to make sure it is configured
correctly...
On Thu, Jun 24, 2010 at 7:56 AM, Allgood, John <jallgood@ohl.com> wrote:
Yes I set that yesterday but now my password history is not
working. It seems when I get one thing working something else breaks. Any ideas
on the password history?
John Allgood
Senior Systems Administrator
OHL Transportation Services
2251 Jesse Jewell Pky. NE
Gainesville, GA 30507
tel: (678) 989-3051 fax: (770) 531-7878
jallgood@ohl.com
www.ohl.com
> -----Original Message-----
> From: SATOH Fumiyasu [mailto:fumiyas@osstech.jp]
> Sent: Wednesday, June 23, 2010 8:23 PM
> To: Allgood, John
> Cc: 'openldap-technical@openldap.org'
> Subject: Re: openldap pwdReset
>
> Hi,
>
> At Wed, 23 Jun 2010 08:39:03 -0500,
> Allgood, John wrote:
> > I have a question for you all. I am using openldap 2.4.31 on Centos
> 5.5 and using the ppolicy overlay. I have also compiled the smbk5
> module to update the samba attr when the user password is updated. My
> problem is to change the password and have the samba password update I
> have to use ldappasswrd which works great. If I force a pwdReset and
> login via gdm the password program take over and sets the posix
> password but this does not change the samba side nor does it adhere to
> the ppolicy. I am thinking this may something related to
> /etc/pamd/system-auth file but not sure. Any feedback would be
> appreciated.
>
> If you are using PADL pam_ldap.so (included in nss_ldap package),
> you must set "pam_password exop" in your /etc/ldap.conf.
>
> --
> -- Name: SATOH Fumiyasu (fumiyas @ osstech co jp)
> -- Business Home: http://www.OSSTech.co.jp/
> -- Personal Home: http://www.SFO.jp/blog/
______________________________________________________
This e-mail transmission may contain information that is proprietary,
privileged and/or confidential and is intended exclusively for the person(s) to
whom it is addressed. Any use, copying, retention or disclosure by any person
other than the intended recipient or the intended recipient's designees is
strictly prohibited. If you are not the intended recipient or their designee,
please notify the sender immediately by return e-mail and delete all copies.
--
Adam Leach
BS Computer/Electrical Engineering
West Virginia University
Systems Administrator - Raytheon
(304)677-4455